Patrick Awuah, Program Manager
David Lazar, Senior Systems Engineer
September 1994
Remote Access Service (RAS) is Microsoft's strategic solution for connecting today's mobile workforce to corporate networks. Optimized for client-server computing, RAS is implemented primarily as a software solution, and is available for all of Microsoft's operating systems. Microsoft's goal for RAS is to enable remote networking out of the box with the Microsoft® Windows® operating system, thus making Windows the best platform for mobile computing.
The goals in designing RAS were to make it:
Secure
Interoperable
Economical
Scalable
High performance
Easy to use
Extensible
Remote Access Service (RAS) is designed to provide transparent network access for PCs running the Microsoft® Windows® operating system. Users run the RAS graphical phone book on a remote PC and initiate a connection to the RAS server via a locally-installed modem, X.25, or ISDN card. The RAS server, running on a Windows NT Server-based PC connected to the corporate network, authenticates the users and services the sessions until terminated by the user or network administrator. All services that are typically available to a LAN-connected user (including file- and print-sharing, database access and messaging) are enabled via the RAS connection. The following figure depicts the RAS architecture.
Note that the remote clients use standard tools to access resources. For example, the Windows File Manager is used to make drive connections, and Print Manager is used to connect printers. Connections made while LAN-connected via these tools are persistent, so users don't need to re-connect to network resources during their remote sessions. Because drive letters and Universal Naming Convention (UNC) names are fully supported via RAS, most commercial and custom applications work without any modification.
Connectivity is achieved in one of three ways: via a standard modem, ISDN, or X.25. The asynchronous modem is the most popular means of connecting, with ISDN emerging as a high-speed alternative. X.25 is a standard for many companies doing business internationally.
In understanding the RAS architecture, it is important to make the distinction between RAS and remote control solutions, such as Cubix® and PC Anywhere. RAS is a software-based multi-protocol router; remote control solutions work by sharing screen, keyboard, and mouse over the wire. In a remote control solution, users share a CPU or multiple CPUs on the server. The RAS server's CPU is dedicated to communications, not to running applications.
This architectural difference has significant implications in two areas: scalability and software applications architecture. In the area of scalability, consider the differing approach to increasing the capacity or performance of a remote-control server. For best performance, an additional or upgraded CPU or PC would need to be purchased for every port to be added or upgraded. With RAS, additional ports can be added without upgrading the server PC. When it does require an upgrade, the RAS Server would generally get additional RAM, a far less costly approach than with remote-control. With Windows NT, a single server can scale easily to support hundreds of remote users, using far fewer hardware resources than a remote control solution.
In the area of software applications architecture, the RAS client normally executes applications from the remote workstation. Contrast this with the remote control client, which runs applications from the host-side CPU. The RAS arrangement is better suited to graphical, client-server-based applications, and because network traffic is reduced, the user achieves higher performance.
Remote control is, however, useful in non-client-server environments. Appendix B of this document explains what client-server computing means, why RAS works extremely well in a client-server environment, and why remote control may be better suited for non-client-server environments. Appendix B also shows how RAS and remote control can be deployed together to take advantage of their unique advantages, and most importantly, demonstrate how corporations can design their remote computing systems in anticipation of their migration to client-server computing.
Microsoft's Remote Access Server first shipped with LAN Manager 2.1 in 1991. It was included with the Windows NT 3.1 operating system, and has now been significantly enhanced for Windows NT 3.5. RAS features the following capabilities:
Multi-protocol routing via PPP support
Internet support
Improved integration with Novell® NetWare® networks
Large capacity
Software data compression
Data encryption
Availability of the RAS APIs
Multi-protocol routing via PPP support
The underlying RAS architecture has been enhanced to allow clients to run any combination of NetBEUI, IP, or IPX during a RAS session. This means that Windows Sockets and NetWare-aware applications, as well as NetBIOS applications, can be run remotely. The Point-to-Point Protocol (PPP) is used as the framing mechanism on the wire. Using PPP enables a high degree of interoperability with existing remote access services.
Internet support
RAS enables Windows NT and Windows 95 to provide complete on-ramp services to the Internet. A Windows NT Server 3.5-based PC can be configured as an Internet service provider, offering dial-up Internet connections to a client workstation running Windows NT 3.5 or Windows 95. A PC running Windows NT Workstation 3.5 can dial into an Internet-connected PC running Windows NT Server 3.5, or to any one of a variety of industry-standard PPP or SLIP-based Internet servers. Microsoft expects the tremendous growth in Internet access to continue, and is committed to providing operating systems that can easily access the Internet.
Improved integration with NetWare networks
Windows NT 3.5 and RAS fully integrate into a NetWare network. The RAS clients are running IPX and/or NetBIOS, so all applications that typically work when directly connected to the network continue to work when remotely connected. And the RAS server now supports IPX routing, so remote clients can gain access to all NetWare resources via the RAS server.
Large capacity
Windows NT Server 3.5 now supports up to 256 simultaneous connections, up from 64 in version 3.1. Details of the configuration, system requirements, and performance are presented later in this paper. The Windows NT Workstation continues to provide a single RAS connection, primarily for personal use or for very small networks.
Software data compression
Software data compression in RAS allows users to boost their effective throughput. Data is compressed by the RAS client, sent over the wire in a compressed format, and decompressed by the server. In typical use, RAS software compression will double effective throughput.
Data encryption
Remote Access Service now provides data encryption, in addition to password encryption, to provide a high measure of privacy for sensitive data. Although most customers may choose not to enable encryption, government agencies, law enforcement organizations, financial institutions, and others will benefit from it. Microsoft RAS uses the RC4 encryption algorithm of RSA Data Security, Inc.
RAS APIs
In April 1994, Microsoft published the 16-bit and 32-bit RAS APIs, which allow corporate developers and solution providers to create custom, remote-enabled applications. Applications which establish the remote connection, use network resources, and reconnect in the event of a communications link failure can now be economically developed and deployed. Applications developed today using these tools will be compatible with Windows 95, Windows NT Workstation and Server 3.5, and Windows for Workgroups 3.11.
Security
Corporate and government organizations, deploying remote access solutions across the enterprise, require varying degrees of security, from virtual public access, to total discrete control. Microsoft's Windows NT, with its Remote Access Service, offers all of the tools necessary to implement whatever degree of security is desired.
Microsoft's RAS provides security at the operating system, file system, and network levels, as well as data encryption and event auditing. Some of the security features are inherited from the Windows NT operating system, while others are specific to RAS itself. Every stage of the process (user authentication, data transmission, resource access, log off, and auditing) can be secured. The next section describes RAS security in detail.
First and foremost, Windows NT Server, the host for RAS, must be understood as a secure operating environment. Windows NT was designed to meet the requirements for C2-level (U.S. Department of Defense) security, meaning that access to system resources can be controlled on a discretionary, per-user basis, and that all access to the system can be recorded and audited. A Windows NT Server-based computer, provided it is secured physically, can be fully locked down from a software perspective: any access to the system requires a password and leaves an audit trail.
Windows NT provides for enterprise-wide security using a trusted domain, single-network logon model. A domain is simply a collection of servers that are administered together. Trusted domains establish relationships whereby the users and groups of one domain can be granted access to resources in a trusting domain. This eliminates the need for duplicate entry of user accounts across a multi-server network. Finally, under the single-network-logon model, once users are authenticated, they carry with them their access credentials. Anytime they attempt to gain access to a resource anywhere on the network, Windows NT automatically presents their credentials for them. If trusted domains are used, users may never have to present a password after initial logon, even though their account exists on one server in one domain only.
The single-network-logon model extends to RAS users. RAS access is granted from the pool of all Windows NT user accounts. An administrator grants a single user, group of users, or all users the right to dial into the network. Then, users use their domain logon to connect via RAS. Once users have been authenticated by RAS, they can use resources throughout the domain and in any trusted domains.
Finally, Windows NT provides the Event Viewer for auditing. All system, application, and security events are recorded to a central secure database that, with proper privileges, can be viewed from anywhere on the network. Any attempts to violate system security, start or stop services without authorization, or gain access to protected resources are recorded in the Event Log and can be viewed by the administrator. Microsoft's RAS makes full use of the Event Viewer in Windows NT.
Authentication
One of the most important concerns that corporate customers express relative to security is in the area of authentication. We will attempt to answer here some of the most frequently asked questions, such as:
How can we ensure the privacy of passwords?
Can we use our own security mechanism in addition to that provided by RAS feature of Windows NT?
Is callback supported?
Authentication protocols
The Remote Access Server negotiates with each client the most secure form of authentication that both server and client support, preferring the Challenge Handshake Authentication Protocol (CHAP). CHAP uses a challenge-response mechanism: the server sends a random challenge, and the client answers with a one-way hash computed over the challenge and the password. The password itself never crosses the link, and a captured response is useless against a later challenge. If the client cannot do CHAP, the server negotiates downward to a less secure protocol, so the password is protected only to the degree that the negotiated protocol allows (see the table below and the clear-text lock-out option described later).
Level of Security    Type of Encryption        RAS Authentication Protocol
High                 One-way (hashed)          CHAP (DES or MD5 response)
Medium               Two-way (reversible)      SPAP
Low                  Clear text                PAP
CHAP allows different algorithms to be used to compute the response. Specifically, RAS uses DES and RSA Data Security Inc.'s MD5. Microsoft RAS uses a DES-based response when both the client and the server are running RAS. DES, the U.S. government standard block cipher, is used to compute the response; it is the challenge-response design, with a fresh random challenge for every logon, that protects against password discovery and playback. Windows NT 3.5, Windows for Workgroups, and Windows 95 always negotiate DES-based CHAP when communicating with each other. When connecting to third-party remote access servers or client software, RAS can negotiate SPAP or clear-text authentication if the third-party product does not support encrypted authentication.
MD5, a one-way message digest used by various PPP vendors for CHAP authentication, can be negotiated by the Microsoft RAS client when connecting to other vendors' remote access servers. MD5-CHAP is not available in the RAS server, so a third-party client that supports only MD5-CHAP must fall back to SPAP or PAP when dialing into a Windows NT Server.
SPAP, the Shiva Password Authentication Protocol, is a two-way (reversible) encryption mechanism employed by Shiva. Windows NT Workstation 3.5 uses SPAP when connecting to a Shiva LAN Rover, as does a Shiva client connecting to a Windows NT Server 3.5. Because the transformation is reversible, anyone who captures the exchange and knows the scheme can recover the password; SPAP is therefore more secure than clear text, but less secure than CHAP.
PAP uses clear-text passwords and is the least sophisticated authentication protocol. It is used only when the remote workstation and server cannot negotiate a more secure form of validation.
The Microsoft RAS server has an option that prevents clear-text passwords from being negotiated. Administrators who want a high level of security should enable it, since otherwise a peer that claims to support only PAP is allowed to authenticate in clear text.
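The following is an added example, not code from the original paper or from Microsoft RAS. It models the negotiation described above and the three protocols in the table, so that the difference between clear-text (PAP), reversible (SPAP) and one-way challenge-response (CHAP) authentication can be seen in what crosses the "wire", and shows why the option to refuse clear text matters. The CHAP response is the standard MD5 form from RFC 1994 (MD5 over identifier, secret and challenge); the DES-based variant that two Microsoft RAS peers negotiate is not specified in the paper and is not modelled. The SPAP stand-in (a simple XOR mask, not Shiva's real algorithm), the function names and the sample account are assumptions made for the example.

```python
import hashlib
import os

# Ranking used by the negotiation, most secure first (the paper's table).
SECURITY_RANK = {"CHAP": 3, "SPAP": 2, "PAP": 1}


def negotiate(server_allowed, client_supported):
    """Pick the most secure protocol both peers support, or None if there is
    no common protocol.  A server with the "no clear text" option set simply
    leaves "PAP" out of server_allowed, so a PAP-only peer is refused."""
    common = set(server_allowed) & set(client_supported)
    if not common:
        return None
    return max(common, key=SECURITY_RANK.__getitem__)


def secret_exposed(wire, secret):
    """True if the password itself appears in a captured exchange."""
    return any(value == secret for value in wire.values())


def pap_authenticate(secret, username, db):
    """PAP: the password crosses the link in clear text."""
    wire = {"user": username, "password": secret}
    return db.get(username) == wire["password"], wire


SPAP_MASK = 0x5A  # assumption: toy reversible mask standing in for Shiva's scheme


def spap_recover(wire):
    """Reverse the transform; an eavesdropper who knows the scheme can do this too."""
    return bytes(b ^ SPAP_MASK for b in wire["masked"]).decode()


def spap_authenticate(secret, username, db):
    """SPAP-style: reversible transform, so the original password is recoverable."""
    wire = {"user": username, "masked": bytes(b ^ SPAP_MASK for b in secret.encode())}
    return db.get(username) == spap_recover(wire), wire


def chap_response(identifier, secret, challenge):
    """RFC 1994 MD5-CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_authenticate(secret, username, db, challenge=None, identifier=1):
    """CHAP: server sends a random challenge, client returns a one-way hash."""
    if challenge is None:
        challenge = os.urandom(16)          # Server -> client: Challenge
    wire = {                                 # Client -> server: Response
        "id": identifier,
        "challenge": challenge,
        "response": chap_response(identifier, secret, challenge),
        "user": username,
    }
    expected = chap_response(identifier, db.get(username, ""), challenge)
    return wire["response"] == expected, wire


def replay(captured, db, fresh_challenge):
    """An eavesdropper re-sends a captured Response to a new Challenge.
    The hash was bound to the old challenge, so the server rejects it."""
    expected = chap_response(captured["id"], db.get(captured["user"], ""), fresh_challenge)
    return captured["response"] == expected


if __name__ == "__main__":
    db = {"alice": "s3cret"}  # constructed sample account, not real data
    for proto, fn in (("PAP", pap_authenticate), ("SPAP", spap_authenticate),
                      ("CHAP", chap_authenticate)):
        ok, wire = fn("s3cret", "alice", db)
        print(f"{proto}: authenticated={ok} password_on_wire={secret_exposed(wire, 's3cret')}")
    _, spap_wire = spap_authenticate("s3cret", "alice", db)
    print("SPAP password recovered from capture:", spap_recover(spap_wire))
    print("server refusing clear text vs PAP-only client:",
          negotiate({"CHAP", "SPAP"}, {"PAP"}))
```

Run stand-alone, the script shows the password in the PAP exchange, recovers it from the SPAP exchange, and finds nothing reusable in the CHAP exchange; with "PAP" left out of the server's allowed set, a clear-text-only peer gets no protocol at all instead of a downgrade.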
Third-party security hosts
RAS supports third-party security hosts. The security host sits between the remote user and the RAS Server, as pictured below:
The security host generally provides an extra layer of security by requiring a hardware key of some sort in order to provide authentication. Verification that remote users are in physical possession of the key takes place before they are given access to the RAS Server. This open architecture allows customers to choose from a variety of security hosts to augment the security in RAS.
As an additional measure of security, RAS offers call back. Call back enables administrators either to require remote users to be called at a specific predetermined number (for example, their telephone at home), or to call a user back at whatever number the user supplies, in order to use low-cost communications lines. Only the first form is a security control: when the user chooses the number at connect time, an impersonator simply supplies his own. In the case of secured call back, the user initiates a call and is authenticated by the RAS Server. The RAS Server drops the call, then calls back a moment later to the predetermined number. This generally thwarts impersonators who have obtained a valid password but cannot answer the telephone at the user's location.
Network Access Restrictions
Remote access to the network under RAS is under the complete control of the system administrator. In addition to all of the tools provided with Windows NT Server (authentication, trusted domains, event auditing, C2 security design, and so on), the RAS Administrator tool gives an administrator the ability to grant or revoke remote access privileges on a user-by-user basis. This means that even though RAS is running on a Windows NT Server-based PC, access to the network must be explicitly granted for each user who is to be authorized to enter the network via RAS.
The procedure to grant remote access is illustrated below to show that it is an easy process, but one that helps protect the network from unauthorized access.
1. Start the Administrator's utility by double-clicking the Remote Access Admin icon.
2. From the Users menu, Choose Permissions.
3. Select the users that you want to grant Remote Access permissions to, then select the Grant dialin permission to user check box.
This process ensures that remote access must be explicitly granted, and provides a convenient means for setting call back restrictions.
In order to further protect customers' networks, RAS provides an additional measure of security. The RAS Administrator provides a switch that allows access to be granted to all resources that the RAS host machine can see, or just resources local to that PC. This allows a customer to tightly control what information is available to remote users, and to limit their exposure in the event of a security breach.
Data Encryption
Data encryption in RAS is designed to protect customers' data and ensure secure dial-up communications. This is especially important for financial institutions, law-enforcement and government agencies, and corporations that require secure data transfer. With data encryption, your data will be kept private.
For installations where total security is required, the RAS administrator can set the RAS server to force encrypted communications. Users connecting to that server would be forced to encrypt all data sent.
Security Conclusion
Corporate customers and other users who are implementing remote access solutions have a justifiably high level of concern about security. RAS leverages and extends the security provided by the Windows NT operating system, and provides the tools to create a secure, yet highly functional, remote LAN access solution.
Interoperability
Because LANs are evolving quickly from islands of information to fully-connected networks of diverse operating systems, protocols, and file systems, Microsoft has defined interoperability as a key feature in Windows NT and RAS. Microsoft understands customers' needs for interoperability, and has concentrated on the following areas to ensure smooth integration into the heterogeneous networks of today and tomorrow:
Flexible hardware options
PPP: An underlying protocol for interoperability
A ramp to the Internet
Seamless integration with NetWare networks
Interoperability with other third-party remote access vendors
Flexible Hardware Options
Remote Access Service offers the broadest hardware support of any remote access vendor. Currently, more than 1700 PCs, 300 modems, and 11 multi-port serial adapters are supported. By selecting a remote access solution with very broad hardware support, customers can gain flexibility in their system design. A complete listing of the hardware devices supported by RAS can be found in the Windows NT Hardware Compatibility List (HCL). The HCL ships with Windows NT, and can also be found on the Microsoft Download Service (206-936-MSDL) or on CompuServe® (GO WINNT).
Point-to-Point Protocol: The Enabling Technology
Previous versions of RAS functioned as NetBIOS gateways. Users would make their connections using NetBEUI/NetBIOS, and then inherit other protocols from the server. This enabled users to share network resources in a multi-vendor LAN environment, but prevented them from running applications that relied on the presence of a protocol other than NetBEUI on the client side. The enhanced architecture is as follows:
Although this architecture continues to support the NetBIOS gateway, it also offers some exciting new possibilities. This architecture enables clients to load any combination of NetBEUI, IPX, and TCP/IP. Applications written for the Windows Sockets, NetBIOS, or IPX interface can now be run on a Windows NT Workstation. This architecture will be the basis for the RAS client in Windows 95 as well.
Multi-protocol routing is just one of the benefits of Microsoft's move to the Point-to-Point Protocol (PPP) in RAS. The PPP is a set of industry standard protocols that enable remote access solutions to interoperate in a multi-vendor network. PPP support in Windows NT 3.5 and Windows 95 means that workstations running Windows can dial into remote networks through any industry standard PPP server. It also enables a Windows NT Server to receive calls from, and provide network access to, other vendors' remote access workstation software.
And although multi-protocol support is an important new feature of RAS, NetBIOS gateway support continues to be an important part of its feature set. An example of the NetBIOS gateway capability is remote network access for Lotus® Notes® users. Although Lotus Notes does offer dial-up connectivity, dial-up is limited to the Notes application only. RAS complements this connectivity by providing a low-cost, high-performance remote network connection for Notes users that not only connects Notes, but offers file and print services and access to other network resources.
Many customers who are interested in PPP interoperability are also concerned with SLIP. SLIP, the Serial Line Internet Protocol, is an older communications standard found in UNIX environments. SLIP does not provide automatic negotiation of network configuration; it requires user intervention. It also does not support encrypted authentication. Microsoft has chosen to support SLIP on the client side, so that the clients running Windows NT Workstation 3.5 may dial into an existing SLIP server. RAS does not provide a SLIP server in this release of Windows NT Server.
Perhaps the most exciting development in networking during the 1990s has been the explosive growth in Internet usage. The latest figures indicate that over 20 million people have access to this world-wide network. The Internet's diverse services appeal to a broad spectrum of business people, academics, government users, and others, and it is the best model in existence today of the "Information Superhighway" of tomorrow.
Today, more and more companies are turning to the Internet to conduct their business. The Internet provides a public domain network that spans the world. Businesses can gather information, share electronic mail, collect research data, house information data banks, distribute software, participate in special interest groups, and get daily news and market services over the Internet. Users can send electronic mail or documents that are normally sent through overnight express services. Companies that sell products or services can set up an Internet host computer that supplies potential customers with product information, an area to place orders, or access to a bulletin board with the latest technical information. For example, Microsoft has an Internet server (ftp.Microsoft.com) to distribute software, provide product fixes, and supply technical articles.
The Internet provides the curious user with a colossal list of topics from which to choose. An astronomy buff can learn about the Hubble Space Telescope; a traveler can find out the weather in Dallas; a prospective student can access college and university brochures on-line. The Internet has a collection of computers that have information on meteorology, science, art, geology, medicine, law, physics, technology, geography, and more.
Traditionally, connecting to the Internet has been a difficult process that is daunting for a beginner. Early tools such as FTP and Telnet featured character-based commands suited for the technical elite who knew how to connect and maneuver through the intertwined network with 32-bit IP addresses. Today's tools such as Gopher and the World Wide Web provide front-end viewers that allow users to scan through and search for information without much knowledge of where information resides and without having to log on to the source computer.
With Windows NT and RAS, Microsoft provides an operating system that fully supports the Internet. There are several different scenarios for connecting to the Internet using Windows NT and RAS:
Using Windows NT and RAS, a user can make an IP over PPP connection to practically any Internet host. Speeds from 2400 bps up to 128 Kbps are supported. Once the RAS connection is established, the user can choose from a variety of tools, from the traditional, non-graphical to those that fully exploit the Windows interface.
A business can establish a RAS server with direct connections to the Internet. The server can be isolated from the rest of the corporate network to provide for security. Users can dial one number for access to the Internet, and one number for access to the corporate LAN.
An Internet service provider can set up a "Rent-A-Net" service that provides a shared Internet connection, plus value-added services, such as electronic mail and fax gateways, custom databases, software distribution, and other custom applications. RAS is a very good solution for this scenario because it offers up to 256 connections at very high speeds, with a variety of protocols and client software supported.
Microsoft has a reputation for providing easy-to-use operating systems and software. We plan to continue this approach with Internet access, providing the best solutions available for mobile computer users.
NetWare Interoperability
For most customers, the ability for remote users to gain access to Novell NetWare services is at the top of the requirements list for a remote access solution. Microsoft is working hard to make RAS a viable solution for networks using both Windows NT and NetWare.
Workstations running Windows NT 3.5 and Windows 95
The client enhancements described above allow Windows NT Workstation 3.5 and Windows 95 remote users to function as full IPX clients. Applications designed to run in an IPX environment are fully supported. The configuration on the Windows NT Workstation-based PC would include the IPX application, CSNW (Client Service for NetWare, the Windows NT requester for NetWare), the NWLink (IPX-compatible) transport, and RAS.
On the server, the NWLink transport and RAS are loaded. This allows IPX packets to be routed to NetWare-based servers, so users can connect transparently to NetWare resources. There is no need to load the Gateway Services for NetWare (GSNW).
For the client running Windows NT Workstation 3.5 or Windows 95, the remote session proceeds as follows: The user starts the machine, loads the graphical RAS phone book, initiates the RAS session, enters his or her credentials, is authenticated by the RAS server, goes to File Manager, and then browses NetWare resources. If the user's credentials are the same for Windows NT Server as they are for NetWare, then they need to enter their password only once during the session. The connectivity is transparent, so that from the user's perspective there is no indication that they are using a Windows NT Server (non-NetWare) dial-up connectivity solution.
Windows for Workgroups 3.11, Windows NT 3.1, and RAS 1.1 Workstations
Previous versions of RAS (included in Windows NT 3.1, Windows for Workgroups 3.11 and RAS 1.1) only had the capability of running NetBEUI. These clients (henceforth called downlevel RAS clients) were not able to run IPX over RAS links as Windows NT Workstation 3.5 and Windows 95 can.
Windows NT Server 3.5, with Gateway Services for NetWare, enables downlevel RAS clients to connect to NetWare servers even though they cannot directly access NetWare via the IPX protocol stack.
On the RAS server, the NWLink transport, Gateway Services for NetWare (GSNW), and RAS are loaded. Once the GSNW is installed, the administrator mounts NetWare volumes from the Windows NT Server using File Manager, and then shares the mounted drives using GSNW from the GSNW control panel. (For the sake of simplicity, this document says that Gateway Services for NetWare should be installed on the RAS server. In practice, the Gateway Services for NetWare can be installed on any Windows NT Server 3.5-based PC on the LAN, not just the RAS server.)
To the downlevel RAS client, the remote session proceeds as follows: The user starts the machine, loads the graphical RAS phone book, initiates the RAS session, enters his or her credentials, is authenticated by the RAS Server, goes to File Manager, and then browses Windows Network resources. The user then connects to the NetWare drives, which appear as Windows NT Server drives by virtue of the Gateway Services for NetWare. The connectivity is transparent, so there is no indication from the user's perspective that he or she is connecting to a NetWare server.
Third-Party Interoperability Options
With the inclusion of PPP in RAS, Microsoft can now offer interoperability with a variety of third-party remote access solutions. This enables PCs running Windows NT Workstation to connect to existing remote access servers, as well as RAS-based servers to come on-line without affecting existing client configurations.
In April 1994, Microsoft hosted PPP Bakeoff '94. Bakeoff '94 provided a venue for many PPP vendors to get together and test interoperability of their respective products, identify problem areas, and fix problems. The following PPP Consortium members participated in Bakeoff '94:
Advanced Computer Communications
3Com Corporation
Cayman Systems
Cisco Systems
Computone Corporation
Digital Equipment Corporation
FTP Software, Incorporated
IBM Corporation
Institute for Information Industry, Taipei, Taiwan
Klos Technologies
Lachman Technologies
Lantronics, Incorporated
Microsoft Corporation
Morning Star Technologies
NEC America, Incorporated
NetManage, Inc.
Network Application Technology
Network Systems, Inc.
Networks Northwest, Inc.
Novell
Proteon
Shiva Corporation
Spry, Incorporated
SunSoft
Telebit Corporation
Wellfleet Communications
Xylogics
Xyplex Incorporated
To ensure interoperability of your current remote access solution with Windows NT 3.5 and Windows 95, contact your remote access vendor for their latest software update based on the results of PPP Bakeoff '94.
In addition to participating in the PPP Bakeoff '94, Microsoft has conducted follow-up calls with individual vendors to retest our products, and has also installed the following products in our labs permanently for interoperability testing.
Remote access servers:
3Com Access Builder
Cisco PPP Routers
Shiva LAN Rover 2.0
Telebit NetBlazer
Remote access clients:
FTP OnNet 1.1 (beta version)
NetManage Chameleon 4.1
Shiva ShivaRemote 3.1a
Interoperability Conclusion
Microsoft is committed to achieving interoperability with other vendors' remote access products via PPP. A tremendous amount of effort has gone into interoperability testing and will continue in future versions of Windows and Windows NT operating systems as well.
Scalability
This section will detail how RAS can effectively scale from 1 to 256 users on a single PC. First, we will discuss the scalability of Windows NT Server, the host platform for RAS. Next, we will discuss the details of a 256-port test of RAS performed by Microsoft prior to shipping Windows NT 3.5. Finally, cost comparisons will be provided that compare RAS with typical software and hardware solutions, showing estimated costs for various numbers of users.
Windows NT Scalability Overview
Because Remote Access Service (RAS) is hosted by the Windows NT platform, it inherits the scalability built into Windows NT. Windows NT was designed to scale from a departmental server for several users running on inexpensive hardware, to a symmetric multi-processing enterprise-wide super-server. Windows NT scales to multiple CPUs and gigabytes of RAM, on Intel-based machines as well as on RISC machines based on MIPS® and DEC Alpha AXP processors.
At the high-end, Windows NT supports a number of fault-tolerant features required for mission-critical operations. For example, disk striping with parity (RAID 5) support allows hardware configurations that provide a high level of recoverability from disk failures. Other features such as multi-threaded asynchronous I/O, UPS support, disk duplexing, and automatic system restart in the unlikely event of a crash allow customers to deploy high-capacity, highly reliable servers.
The Windows NT Performance Monitor also promotes scalability. As demands on a system increase, bottlenecks typically appear. Because of the complexity of modern PC hardware, there are hundreds of potential chokepoints for a server. Performance Monitor allows an administrator to set counters on a variety of system resources on a local or remote Windows NT-based server, and then to receive alerts when performance thresholds are reached. This tool is also open, so that software added to a Windows NT-based system (including RAS) can install its own counters into the Performance Monitor object list.
Details of Large Scale Internal Testing
Shown below is a diagram of the RAS configuration tested by Microsoft prior to the release of Windows NT 3.5. This test was designed to demonstrate that a server running RAS could scale to meet customer needs, and to provide configuration guidelines to customers deploying RAS on a large scale.
The test environment consisted of the following:
Remote client machines, running a mixture of MS-DOS®, OS/2®, Windows 3.1, Windows for Workgroups 3.11, Windows NT 3.1, and Windows NT Workstation 3.5.
A RAS-based server with two Digiboard EPC Controllers. The RAS server was configured to use 128 ports on each of the EPC Controllers.
Clients running IPX, NetBEUI, and IP; both single-stack and in various combinations.
The RAS-based server running NWLink (IPX-compatible transport), TCP/IP, and NetBEUI.
Tests consisted of workstations dialing in, running network tests, and then disconnecting. The peak number of simultaneous connections registered was 108.
The clients ran four different types of applications:
File copy and compare with the PC running Windows NT Server 3.5
SQL Server on Windows NT, table updates and queries
FTP sessions to a Windows NT Server
Microsoft's internal stress tests
Communications equipment:
Digiboard EPC Serial Adapter
US Robotics V.32bis QUAD Digital rack mounted modems
11 T1 lines connecting the modem bank to the public telephone network
256 RS232 Serial cables connecting the modem bank to Digiboard EPC
RAS server configuration recommendations:
32 ports or less:
    Intel 486/66 or greater with 32 MB RAM
    RISC (DEC Alpha AXP, MIPS) with 48 MB RAM
64 ports or less:
    Dual Processor Intel® Pentium with 64 MB RAM
    RISC (DEC Alpha AXP, MIPS) with 64 MB RAM
More than 64 ports:
    Dual Processor RISC (DEC Alpha AXP, MIPS) with 64 MB RAM
In order for a remote network access solution to make sense for broad deployment, it must scale to support the needs of various workgroups. In all cases, remote access should be reliable, economical, and able to support a variety of user tasks. Microsoft's Remote Access Service leverages the scalability and fault tolerance of Windows NT, and has been shown to scale well to its full rated capacity of 256 users.
Cost Comparisons
In order to assist customers who are evaluating remote network access solutions, we have prepared a comparison showing pricing from three vendors, Microsoft, Novell, and Shiva. Microsoft and Novell offer software-based solutions, while Shiva provides a hardware solution. Because of this, hardware costs were added to the Microsoft and Novell software costs to come up with an apples-to-apples comparison. The hardware used was the Digiboard EPC, the same product used in the RAS scalability tests described above.
It is important to note that modem costs were not considered for the purpose of this comparison. However, modem costs would be the same for each solution.
Number of users                      1          8        16        32          64          256
Microsoft Windows NT Server (1)  2,684 (2)  3,825    4,506     8,010 (3)  18,825 (3)  56,620 (3)
Novell NetWare Connect (4)       2,544      5,040    7,735    12,185      24,370      97,480
Shiva LAN Rover/E                2,899      3,999    7,998    15,996      31,992     127,968
All prices shown in US dollars (ERP). All prices subject to change.
1. Price calculation assumes that a Windows NT Server network is not in place, thus requiring purchase of extra user licenses. If Microsoft network clients have already been purchased, then the total software cost for RAS will be only $700 per RAS server.
2. Based on the cost of one Windows NT Workstation; all other prices based on one Windows NT Server.
3. Lower prices may be available via Microsoft Select volume purchase program.
4. Prices are for NetWare Connect only; NetWare servers would be extra, as would extra user licenses for NetWare.
Hardware Configuration Estimates for NetWare Connect and Windows NT Server
In order to provide complete cost information, hardware cost was factored into estimates for Microsoft RAS and Novell NetWare Connect. The following assumptions were made about hardware configurations:
Number of Ports  NetWare Connect                                                    Windows NT Server
1                1 PC 486/33, 16 MB RAM                                             1 PC 486/33, 16 MB RAM
8                1 PC 486/33, 16 MB RAM; 1 Digiboard PC/8e Adapter                 1 PC 486/33, 16 MB RAM; 1 Digiboard PC/8e Adapter
16               1 PC 486/33, 16 MB RAM; 1 Digiboard EPC Adapter with 16 ports     1 PC 486/33, 16 MB RAM; 1 Digiboard EPC Adapter with 16 ports
32               1 PC 486/33, 32 MB RAM; 1 Digiboard EPC Adapter with 32 ports     1 PC 486/33, 32 MB RAM; 1 Digiboard EPC Adapter with 32 ports
64               2 PCs 486/33, 32 MB RAM; 2 Digiboard EPC Adapters with 32 ports each   1 PC Dual Pentium, 64 MB RAM; 1 Digiboard EPC Adapter with 64 ports
256              8 PCs 486/66, 32 MB RAM; 8 Digiboard EPC Adapters with 32 ports each   1 PC Dual RISC, 64 MB RAM; 2 Digiboard EPC Adapters with 128 ports each
Hardware Cost Estimates:
    486/33 with 16 MB RAM                   $1,949
    486/33 with 32 MB RAM                   $2,050
    486/66 with 32 MB RAM                   $3,100
    Dual Pentium with 64 MB RAM             $11,000
    Dual MIPS R4X00                         $11,000
    Dual Alpha with 64 MB RAM               $25,000
    Digiboard PC/8e Adapter (8 ports)       $795
    Digiboard EPC Adapter (16 ports)        $1,295
    Digiboard EPC Adapter (32 ports)        $3,090
    Digiboard EPC Adapter (64 ports)        $4,885
    Digiboard EPC Adapter (128 ports)       $15,460
Remote Access Product Cost Estimates:
Shiva LAN Rover/E
    4 ports                 $2,899
    8 ports                 $3,999
Microsoft Windows NT Server
    Base Server             $700
    User License            $35/user
Novell NetWare Connect
    2-user                  $595
    8-user                  $2,195
    32-user                 $5,995
The cost comparison is shown graphically:
Microsoft RAS is an economical solution, offering savings for networks of any size, and significant savings when maximum capacity is required.
Performance Comparisons
In order to assist customers who are evaluating remote network access solutions, here is a performance comparison of solutions from three vendors: Microsoft, Novell, and Shiva. Given the relatively low-bandwidth, low-speed links available for remote computing today, remote access solutions need to be very efficient about managing data traffic. Efficiency is achieved by data compression and intelligent I/O management at the remote access server.
Prior to releasing Windows NT 3.5, Microsoft conducted performance tests comparing Windows NT Remote Access with Shiva LAN Rover 2.0 and NetWare Connect 1.0. Microsoft RAS proved to be the best performing solution. The test consisted of dialing into the network and then simply recording the time taken to transfer various files.
The test results are shown below.
Test Configuration
In order to ensure fairness, identical hardware was used for testing whenever possible. Windows NT Server 3.5 and NetWare Connect 1.0 server ran in dual boot mode on the same server.
For Shiva and Windows NT Server 3.5 testing, the same workstation was used. This was possible because both Shiva LAN Rover and Microsoft RAS support the PPP standard. It was not possible to use the same workstation for the NetWare Connect 1.0 testing because NetWare Connect does not support PPP.
Shiva LAN Rover 2.0:
    9600 baud modem
    Modem compression enabled
    Windows NT Workstation 3.5 running IPX over PPP
Novell NetWare Connect 1.0 running on NetWare 4.01:
    9600 baud modem
    NetWare Connect software compression enabled
    MS-DOS 6.2-based workstation running NetWare Connect dial-in client software
Microsoft Windows NT Server 3.5:
    9600 baud modem
    Microsoft RAS software compression enabled
    Windows NT Workstation 3.5 running IPX over PPP
Conclusions
Mobile computing is a critical aspect of doing business today. Microsoft is committed to building operating systems that address this need, both on the desktop and the server. Microsoft's Remote Access Service, in both Windows NT 3.5 and Windows 95, is designed to provide comprehensive dial-up connectivity for corporate networks and the global Internet.
RAS is Microsoft's strategic mobile computing technology, and provides the following key features that make Windows and Windows NT great remote computing operating systems:
Transparent network access
Multi-protocol support (TCP/IP, IPX, and NetBEUI)
Ease of use
Advanced, reliable security
Excellent performance
Scalability from the workgroup to the enterprise, and to the global Internet
Comprehensive wide-area networking (public telephone, ISDN, and X.25 networks)
Programmability via Windows RAS Application Programming Interfaces (APIs)
Perhaps most importantly, RAS preserves your investments by using industry standard protocols that ensure interoperability with non-Microsoft remote access solutions.
Appendix A. Product Capabilities Matrix
This product capabilities matrix provides a comparison of functionality for all RAS platforms.
Platform                      # of Ports   Protocols           WAN Options
MS-DOS (RAS 1.1a)             1            NetBIOS             Async, X.25
Windows for Workgroups 3.11   1            NetBIOS             Async, X.25, ISDN
Windows NT 3.1                1/64 (1)     NetBIOS             Async, X.25, ISDN
Windows NT 3.5                1/256 (1)    NetBIOS, IP, IPX    Async, X.25, ISDN
Windows 95                    1            NetBIOS, IP, IPX    Async, X.25, ISDN
1. The first number given is for Windows NT Workstation, the second is for Windows NT Server.
Platform                      Data Encryption   Compression       Authentication
MS-DOS (RAS 1.1a)             No                Modem             MS Encrypt, Callback
Windows for Workgroups 3.11   No                Modem             MS Encrypt, Callback, 3rd Party
Windows NT 3.1                No                Modem             MS Encrypt, Callback, 3rd Party
Windows NT 3.5                Yes               Modem, Software   MS Encrypt, Callback, 3rd Party
Windows 95                    Yes               Modem, Software   MS Encrypt, Callback, 3rd Party
Appendix B. PPP RFCs
Windows NT 3.5 and Windows 95 implement the following RFCs:
1144 Compressing TCP/IP Headers (Van Jacobson header compression)
1332 IP Control Protocol
1334 Authentication Protocols
1547 Requirements for PPP
1548 PPP
1549 PPP in HDLC
1055 SLIP
1552 IPXCP
1570 LCP Extensions
Draft NBFCP
Draft PPP over ISDN
Draft PPP over X.25
Appendix C. The Move to Client-Server Computing (Remote Node vs. Remote Control)
This section explains client-server computing, why RAS works very well in a client-server environment, and why remote control may be better suited for non-client-server environments. This section also shows how RAS and remote control can be deployed together to take advantage of their unique advantages, and most importantly, demonstrates how corporations can design their remote computing systems in anticipation of their migration to client-server computing.
Client-Server Computing
Client-server computing is a network computing model that optimizes network usage, and greatly facilitates data analysis and decision making by end users.
Client-server networks are composed of back-end servers that are responsible for data storage, organization, and retrieval, and front-end systems running applications that manipulate, analyze, and present data to the user in an intuitive way.
In the example below, the SQL database server is responsible for data storage, record locking and so on. The client computer runs an application that is compliant with the Open Database Connectivity (ODBC) standard and asks for specific information from the server. The server retrieves data and sends it back to the client. The client application then manipulates and displays the information to the user, using various functions of productivity tools such as the Microsoft Visual Basic® programming system, Microsoft Excel, Lotus 1-2-3®, and others.
Network traffic in this model is limited to:
A query from the client workstation
Specific data requested by the client workstation
This approach to networking reduces congestion on corporate networks, as well as remote workstations that are connected via RAS.
Non-Client-Server Computing
In older LANs, data access and retrieval have not typically followed the client-server networking model. In this model, a server stores data in a database, and client workstations run applications that are responsible for directly manipulating the database (for example, opening the database, locking records, and so on). In this model, the client application does more work than in a client-server model. Furthermore, the client application opens the entire database, and typically downloads a large portion of the main database into workstation memory.
In the non-client-server model, because applications open entire databases and so on, network traffic is not optimized. This puts a heavy load on the corporate network, and drastically affects the performance of remotely attached workstations that are connected via relatively slow links.
In this environment, it becomes useful to adopt the remote control approach for dial-up networking. With remote control, a client computer connects to a "host" and takes over the screen and keyboard of the host. With this model, the data transferred between the two machines consists of keystrokes and screen updates. This will typically be less data than an entire database.
Using RAS and Remote Control Simultaneously
Remote control applications can run on the LAN. Therefore, by definition, they can work over RAS connections that simply extend the LAN to remote locations.
By running remote control applications over RAS, the user gains the advantages of RAS in a client-server environment, in addition to being able to run non-client-server applications with acceptable performance. The key advantages that the user gains by using RAS with their remote control applications are:
Modem pooling for incoming calls
Migration path to client-server computing
RAS compression
Single access point for security, including all the advanced security options that RAS provides
RAS wide-area networking support (telephone, X.25, and ISDN networks)
Most remote control solutions today work with MS-DOS and will work with Microsoft RAS 1.1a workstations. Contact your remote control vendor for information on 32-bit networking support availability for Microsoft Windows. With 32-bit networking support, remote control applications will be able to run on Windows for Workgroups 3.11 RAS and Windows 95.
Appendix D. Resource Directory
This resource directory provides contact information on many of the vendors listed in this article. It is not intended as an all-inclusive list of RAS-related products.
Digiboard
6400 Flying Cloud Drive
Eden Prairie, MN 55344
(612) 943-9020
Multi-port Serial Adapters, ISDN Adapters
SpartaCom
10 Ave du Quebec - BP537
91946 COURTABOEUF CEDEX
FRANCE
Tel: +33 1 69 07 17 80
Fax: +33 1 69 29 09 19
SpartaCom USA
1951 Airport Road
Suite 211
Atlanta, GA 30341
Tel: (404) 455 0701
Fax: (404) 457 9500
Modem Sharing Software for Windows NT Server
Eicon Technology Corp.
2196 - 32nd Avenue (Lachine)
Montreal, Quebec H8T 3H7
Canada
(514) 631-2592
X.25 Adapters
NetManage, Inc.
20823 Stevens Creek Blvd.
Cupertino, CA 95014
Phone: (408) 973-7171
Fax: (408) 257-6405
Terminal Emulation, File Transfer, X Windows, E-mail, NFS, TN3270, BIND, SNMP
Security Dynamics
One Alewife Center
Cambridge, MA 02140 USA
Phone (617) 547-7820
Fax (617) 354-8836
Advanced network security and authorization products
Digital Pathways Inc.
201 Ravendale Drive
Mountain View, CA 94043-5216
Phone (415) 964-0707
Fax (415) 961-7487
Advanced network security and authorization products
Racal
480 Spring Park Place
Suite 900
Herndon, Virginia 22070
Phone (703) 437-9333
Fax (703) 471-0892
Advanced network security and authorization products